PerlMonks  

Re: Re: Why use taint

by Juerd (Abbot)
on Mar 09, 2002 at 20:38 UTC



in reply to Re: Why use taint
in thread Errors in my (simple?) CGI Script!

Next time, reply to the node you're commenting on, please.

I don't use -T, but I think its use is highly overrated. I don't like -T because I trust my own code, find tainting very restricting and don't like the enormous overhead untainting involves.

If there's one thing I hate, it's code like:

    ($var) = $var =~ /(.*)/s; # untaint $var
    # ... or ... (and the following idiom is used a lot more often (why?))
    $var = $1 if $var =~ /(.*)/s;

But code like that is seen very, very often. And that's because tainting is often recommended without saying that it's not needed when you don't do system calls.


Re: Re: Re: Why use taint
by theguvnor (Chaplain) on Mar 09, 2002 at 20:55 UTC

    I was replying to the node to which I was commenting. I also happened to reference your reply to the same node, in my reply. If I had split my response I would have been --ed for lowering the signal-to-noise ratio, so I guess I'm damned if I do, damned if I don't.

    </rant>

    I was actually agreeing with you for the most part - tainting is not always required as you point out. But for CGI parameters where the user input does get anywhere near the system, I think it's a useful warning mechanism that there could be unsafe programming.

    ..Guv
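As an added illustration (not code from either post), the script below shows what -T actually catches when input reaches system(), and how the /(.*)/s idiom Juerd quotes launders taint without validating anything, next to a whitelist untaint. The untaint_filename helper and the constructed input are assumptions of this example, not from the thread; run it as `perl -T untaint_demo.pl`.

```perl
#!/usr/bin/perl -T
# Added example: taint in practice. Not from the PerlMonks thread.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Borrow taint from %ENV before cleaning it: an empty-but-tainted string lets
# us build a tainted "CGI parameter" offline, with no web server involved.
my $taint = substr($ENV{PATH} // '', 0, 0);

# -T also refuses system() unless PATH is sane and shell-affecting vars are gone.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for a form field that will end up near the system.
my $file = 'report.txt; rm -rf /' . $taint;
print "raw input tainted?          ", tainted($file) ? "yes\n" : "no\n";

# The idiom from the thread: /(.*)/s matches anything, so it strips the taint
# flag without rejecting anything. Taint mode is now blind to $file's content.
my ($blanket) = $file =~ /(.*)/s;
print "after /(.*)/s, tainted?     ", tainted($blanket) ? "yes\n" : "no\n";

# A whitelist untaint (hypothetical helper): only a plain filename shape is
# accepted, and the capture $1 is what becomes untainted. Anything else is undef.
sub untaint_filename {
    my ($in) = @_;
    return $in =~ /\A([\w.-]{1,64})\z/ ? $1 : undef;
}

my $safe = untaint_filename($file);
print "whitelist untaint:          ", defined $safe ? "'$safe'\n" : "rejected\n";

# What -T buys you: the call dies before it runs when any argument is tainted
# ("Insecure dependency in system while running with -T switch").
my $ran = eval { system('/bin/echo', $file); 1 };
print "system() with tainted arg:  ", $ran ? "ran\n" : "blocked: $@";
```

Running the same script without -T lets the system() line execute, which is the case theguvnor describes: the warning mechanism only exists when the switch is on.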
